Skip to content

Latest commit

 

History

History
179 lines (117 loc) · 6.11 KB

File metadata and controls

179 lines (117 loc) · 6.11 KB

Security FAQ — Secure by Demand

Answers to the questions packagers, distros, and security-conscious users are expected to ask under the CISA Secure by Demand Guide (Aug 2024). Five subject areas, in CISA's order. Updated each release.

1. Authentication

Q: What authentication does Springtale use for its own surfaces?

The vault uses an Argon2id-derived key from the user's passphrase. Shipped parameters: 64 MiB memory, t=3, p=4 — well above the OWASP baseline of 19 MiB / t=2 / p=1. There is no remote authentication — Springtale runs on the user's own machine and binds its management API to 127.0.0.1 by default with HMAC-SHA256 bearer tokens.

Q: Phishing-resistant MFA?

For the maintainer GitHub / crates.io / PyPI / npm publishing accounts: FIDO2 (WebAuthn / passkeys) is required at org level. No SMS.

For end users: hardware-FIDO2 is on the roadmap as a second factor for vault unlock. Not yet shipped.

Q: Default passwords?

None. Vault has no default passphrase; user sets one in onboarding. API tokens are generated per-install. There is no admin-shell account.

2. Eliminating classes of vulnerability

Q: Memory safety?

100% Rust. SolidJS frontend in WebKit (memory-safe JS). Python via pyo3 is not a sandbox and is only used for the cooperation API. Full inventory in docs/security/MEMORY-SAFETY.md.

Q: SQL injection?

All database access flows through springtale-store. Queries use rusqlite::params! or sqlx::query_as! (compile-time verified). A CI lint fails on any format!("SELECT|INSERT|UPDATE-style query string outside test code.

Q: XSS?

SolidJS auto-escapes. innerHTML and dangerouslySetInnerHTML are CI-banned. Tauri webview runs a nonce-based strict CSP with require-trusted-types-for 'script'.

Q: OS command injection?

std::process::Command requires explicit argv arrays. bash -c and shell-string construction are CI-banned. Connector shell capability requires explicit allow-listed binary paths and triggers blocking user approval.

Q: Path traversal?

Filesystem connector canonicalizes every path against an explicit base scope declared in the connector manifest. Refusal on traversal.

Q: TLS?

rustls exclusively. native-tls, openssl-sys, and openssl are banned at the workspace level (deny.toml + [patch] stub). TLS 1.3 only. PQ hybrid X25519+ML-KEM-768 KEX rolling out 2026 Q4.

Q: Secret handling?

Secret<T> from secrecy wraps every credential. zeroize on drop. expose_secret() requires // SECURITY: annotation enforced by clippy custom-disallowed-method lint.

3. Evidence of intrusions

Q: Logging?

tracing writes structured JSON logs to local files. Audit events (authentication, vault unlock, connector load, capability denials, panic wipe, manifest verify failures) go into an append-only SQLite table with row hash chaining in springtale-sentinel.

Q: Telemetry?

Zero. Forever. There is no path to add telemetry. Anyone proposing a PR for it is told to read CONTRIBUTING.md §"What we won't merge."

Q: Export of local logs?

User-triggered export. No automatic upload anywhere.

Q: Tamper evidence?

Audit log row hash chain; vault file integrity tag (AEAD).

4. Supply chain security

Q: SBOM?

CycloneDX 1.7 (primary) + SPDX 2.3 (secondary) per release. Generated by the sbom.yml workflow. Components include Rust, npm, Python, and CBOM (cryptographic algorithms) + ML-BOM (configured AI adapters). Signed with Sigstore cosign.

Q: SLSA?

Targeting SLSA Build Level 3 via slsa-framework/slsa-github-generator on GitHub-hosted runners.

Q: Signed releases?

Yes. Sigstore cosign keyless (GitHub OIDC). .cosign.bundle published next to every release artifact. Recipe in docs/operations/verifying-releases.md.

Q: Pinned dependencies?

Cargo.lock, pnpm-lock.yaml, uv.lock committed. cargo --locked and pnpm install --frozen-lockfile in CI. GitHub Actions SHA-pinned (see docs/security/CI-TRUST.md).

Q: Provenance for third-party deps?

cargo vet audit graph in supply-chain/audits.toml, imports from Mozilla/Google/Bytecode Alliance audits. deny.toml policy gates licenses, sources, advisories, bans.

Q: Connector sandbox?

Community connectors run in Wasmtime: 10M instructions, 64MB memory, 30s wall-clock. Manifest Ed25519-signed; verified on every load. Capability allow-list with exact host matching for network egress.

Q: Dependency confusion / typosquatting?

.npmrc registry-pinned to registry.npmjs.org/. ignore-scripts=true blocks post-install scripts (CISA Shai-Hulud mitigation). Scoped names (@springtale/) for first-party packages. cargo deny check bans denies new top-level deps without sign-off.

5. Vulnerability disclosure

Q: How do I report a vuln?

GitHub Security Advisories (preferred) or email k1104jackson@hotmail.com. Full policy: SECURITY.md. Also published as RFC 9116 security.txt at /.well-known/security.txt.

Q: SLA?

72h acknowledgement, 7d triage, 30d fix on private branch, public disclosure window negotiated. ≤24h ack and ≤14d fix for user-safety class bugs (identity leak, duress detectability, panic wipe defeat, telemetry).

Q: Safe harbor?

We will not pursue legal action against good-faith security research.

Q: CVE issuance?

GitHub Advisories CNA proxy is the path today. The maintainer files a GitHub Security Advisory in this repo's Security tab and clicks "Request CVE" to get an ID assigned under GitHub's CNA scope. The full step-by-step flow + the trigger conditions and application process for Springtale registering as a direct CVE Numbering Authority (once we hit ≥1 CVE / quarter sustained for 4 quarters with a 90-day disclosure track record) are documented in INCIDENT-RUNBOOK.md § On becoming a CNA.

Q: PGP?

Maintainer PGP key listed on the GitHub profile. Unencrypted reports also accepted.

Verification

This document is reviewed each release. Inconsistencies between this FAQ and the running system should be filed as a security-doc-drift issue.